DETAILED ACTION 

1. Claims 1-57 are pending. 

2. Information disclosure statements submitted 6/4/01, 4/28/03, 5/14/03, and 
10/28/03 have been received and considered. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 1-6, 14-15, 18-21, 25-26, 32, 34, 37-42, 50-51, and 54-56 are rejected 
under 35 U.S.C. 102(e) as being anticipated by Gleichauf et al US Patent No. 
6,301,668. Gleichauf discloses a method for adaptive network security using network 
vulnerability assessments. 

5. With regards to claims 1, 14, 18, 37, 50, 54, 56, Gleichauf teaches the detecting 
of a data signature (Gleichauf, column 6 lines 36-45) and the correlating of the data 
signature with a fingerprint of the target to determine to what extent the target is 
vulnerable to the data signature (Gleichauf, column 6 lines 51-56, likelihood of success). 
6. With regards to claims 2, 25, 34, 38, Gleichauf teaches the evaluating of 
contextual information relating to the data signature to determine a likelihood that the 
target is under attack (Gleichauf, column 6 lines 25-36). 

7. With regards to claims 3, 20, 39, Gleichauf teaches the fingerprint including a 
target node's operating system (Gleichauf, column 3 lines 62-65). 

8. With regards to claims 4, 21, 40, Gleichauf teaches the fingerprint including the 
node's processor type (Gleichauf, column 3 lines 62-65, devices, column 7 lines 1-4). 

9. With regards to claims 5, 15, 26, 41, 51, Gleichauf teaches the contextual 
information including a particular network protocol with which the data signature was 
transmitted (Gleichauf, column 8 lines 28-45, column 6 lines 25-36). 

10. With regards to claims 6, 42, Gleichauf teaches the generating of a first alert 
condition upon determining that the target node is vulnerable to the data signature 
(Gleichauf, column 8 lines 28-52, determined probability of success, prioritizing 
monitoring). 

11. With regards to claims 19, 55, Gleichauf teaches the fingerprint including a 
particular service executed on the target (Gleichauf, column 7 lines 51-60, services). 

12. With regards to claim 32, Gleichauf teaches the profiling of the target to 
determine which ports are open by passively listening to what traffic succeeds in talking 
to/from the target (Gleichauf, column 7 lines 40-49). 
Claim Rejections - 35 USC § 103 
13. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

14. Claims 7-8, 10-12, 22, 27, 29-31, 43-44, 46-48, 57 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Gleichauf et al US Patent No. 6,301,668 in view of 
Conklin et al US Patent No. 5,991,881. Conklin teaches a network surveillance system. 

15. With regards to claims 7, 43, Gleichauf fails to teach the listening for a response 
to a data signature from the target. Conklin teaches the listening for a response to a 
data signature from the target (Conklin, column 6 lines 21-43, column 7 lines 25-29, 
evidence logging function). At the time the invention was made, it would have been 
obvious to a person of ordinary skill in the art to utilize Conklin's method of listening with 
Gleichauf's adaptive security system because it offers the advantage of ensuring 
continuing reporting of all pertinent activities following the detection of a predefined alert 
condition (Conklin, column 1 lines 35-49). 

16. With regards to claims 8, 44, Gleichauf as modified teaches the determining 
whether the target node's response or lack of a response is suspicious (Gleichauf, 
column 7 lines 29-38). 

17. With regards to claims 10, 46, Gleichauf as modified teaches the generating of a 
second alert condition upon determining that the target node's response or lack of a 
response is suspicious (Conklin, column 7 lines 25-38, alert notification). 
18. With regards to claims 11, 47, Gleichauf as modified teaches the combining of 
the second alert with the first, thereby updating the first alert with information within the 
second alert (Conklin, column 8 lines 6-14, column 7 lines 44-50). 

19. With regards to claims 12, 48, Gleichauf fails to teach the listening for behavior of 
the target node and sending an alert condition. Conklin teaches the listening for 
behavior of the target node (Conklin, column 8 lines 1-5) and generating a second alert 
condition upon determining that the target node's behavior is suspicious (Gleichauf, 
column 7 lines 51-61). At the time the invention was made, it would have been obvious 
to a person of ordinary skill in the art to utilize Conklin's method of listening to the 
behavior of the target with Gleichauf's adaptive security system because it offers the 
advantage of ensuring continuing reporting of all pertinent activities following the 
detection of a predefined alert condition (Conklin, column 1 lines 35-49). 

20. With regards to claims 22, 29 and 57, Gleichauf fails to teach the monitoring of 
responses from the target following the data signature and determining a likelihood of 
whether the target is under attack based on the data signatures of the responses. 
Conklin teaches the monitoring of responses from the target following the data signature 
and determining a likelihood of whether the target is under attack based on the data 
signatures of the responses (Gleichauf, column 7 lines 29-38). At the time the invention 
was made, it would have been obvious to a person of ordinary skill in the art to utilize 
Conklin's method of listening with Gleichauf's adaptive security system because it offers 
the advantage of ensuring continuing reporting of all pertinent activities following the 
detection of a predefined alert condition (Conklin, column 1 lines 35-49). 
21. With regards to claim 27, Gleichauf fails to teach the protocol being FTP. 
Conklin teaches the protocol being FTP (Conklin, column 3 lines 8-14). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
use Conklin's method of monitoring FTP with Gleichauf's adaptive security system 
because it offers the advantage of allowing the monitoring of one of the principal 
network protocols used to transfer files. 

22. With regards to claims 30-31, Gleichauf fails to teach the current state 
comprising an inbound or outbound connection from the target following a detected 
signature. Conklin teaches the current state comprising an inbound or outbound 
connection from the target following a detected signature (Conklin, column 8 lines 1-5). 
At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to utilize Conklin's method of listening with Gleichauf's adaptive security 
system because it offers the advantage of ensuring continuing reporting of all pertinent 
activities following the detection of a predefined alert condition (Conklin, column 1 lines 
35-49). 

23. Claims 9, 23 and 45 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301,668 and Conklin et al US Patent No. 
5,991,881, as applied to claims 8, 22, and 44 above, and in further view of Krumel US 
PGPub 2002/0083331. 

24. With regards to claims 9, 23 and 45, Gleichauf as modified above fails to teach the 
determining if a packet is an unknown command. Krumel teaches the determining if a 
packet is an unknown command (Krumel, Page 7, Paragraph 0085, unknown packet 
type). At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Krumel's method of detecting unknown commands 
because it offers the advantage of ensuring that no packets that do not fit set security 
filters are allowed to pass in and out of a network (Krumel, Page 7, Paragraph 0085 and 
Page 7 Paragraph 0087). 

25. Claims 13 and 49 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301,668 and Conklin et al US Patent No. 
5,991,881, as applied to claims 11 and 47 above, and in further view of Zhang et al 
"Detecting Backdoors." 

26. With regards to claims 13 and 49, Gleichauf as modified above fails to teach 
suspicious behavior comprising the transmitting of a root shell prompt to a suspect 
node. Zhang teaches suspicious behavior comprising the transmitting of a root 
shell prompt to a suspect node (Zhang, Page 12, Section 4.5, Root Backdoor). At the 
time the invention was made, it would have been obvious to a person of ordinary skill in 
the art to utilize Zhang's method of detecting root shell transmissions with Gleichauf as 
modified because it offers the advantage of preventing an attack from gaining 
unauthorized access to a system by the use of a backdoor (Zhang, Page 1 Section 
1. Introduction). 
27. Claims 16, 35, and 52 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Gleichauf et al US Patent No. 6,301,668 in view of Ji et al US Patent 
No. 6,728,886. Ji discloses a distributed virus scanning arrangement. 

28. With regards to claims 16, 35, and 52, Gleichauf, as described above, fails to 
teach the protocol being HTTP protocol. Ji teaches a data signature being a message 
in the form of the HTTP protocol (Ji, column 6 lines 23-38). At the time the invention 
was made, it would have been obvious to a person of ordinary skill in the art to utilize 
Ji's method of detecting HTTP with Gleichauf's adaptive security system because it 
offers the advantage of allowing the monitoring of a popular method of transferring data 
across the internet thus reducing the likelihood of a security breach (Ji, column 1 line 63 
- column 2 line 8). 

29. Claims 17 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301,668 and Ji et al US Patent No. 6,728,886, as 
applied to claim 16 above, and in further view of Farrow "Security Reality Check." 

30. With regards to claims 17 and 53, Gleichauf as modified above fails to teach the 
detecting of a data signature of "cgi-bin/phf." Farrow teaches the detection of the data 
signature of "cgi-bin/phf" (Farrow, Page 2, "Stealth Attacks" Paragraph 4). At the time 
the invention was made, it would have been obvious to a person of ordinary skill in the 
art to utilize Farrow's method of detecting the data signature of "cgi-bin/phf" because it 
offers the advantage of helping prevent attacks because the data signature is a valid 
indication of an attack upon a system (Farrow, Page 2, "Stealth Attacks" Paragraph 4). 
31. Claim 24 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al US Patent No. 6,301,668, Conklin et al US Patent No. 5,991,881, and 
Krumel US PGPub 2002/0083331, as applied to claim 23 above, and in further view of 
Zhang et al "Detecting Backdoors." 

32. With regards to claim 24, Gleichauf as modified teaches the data signature being 
FTP (Conklin, column 3 lines 8-14), but fails to teach the response being a raw shell 
connection. Zhang teaches suspicious behavior comprising the transmitting of a 
root shell prompt to a suspect node (Zhang, Page 12, Section 4.5, Root Backdoor). At 
the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to utilize Zhang's method of detecting root shell transmissions with 
Gleichauf as modified because it offers the advantage of preventing an attack from 
gaining unauthorized access to a system by the use of a backdoor (Zhang, Page 1 
Section 1. Introduction). 

33. Claim 28 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al US Patent No. 6,301,668 and Conklin et al US Patent No. 5,991,881, as 
applied to claim 27 above, and in further view of Bernhard et al US Patent No. 
6,275,942. 

34. With regards to claim 28, Gleichauf as modified above fails to teach the data 
signature being passwd in a context where filenames are likely to appear. Bernhard 
teaches the data signature being passwd in a context where filenames are likely to 
appear (Bernhard, column 13 lines 20-34). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Bernhard's method of 
checking for passwd because it offers the advantage of helping ensure that the 
/etc/passwd file remains secure from attacks (Bernhard, column 13 lines 20-34). 

35. Claims 33 and 36 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301,668 in further view of Krumel US PGPub 
2002/0083331. 

36. With regards to claim 33, Gleichauf as described above fails to teach the 
determining if a packet is an unknown command. Krumel teaches the determining if a 
packet is an unknown command (Krumel, Page 7, Paragraph 0085, unknown packet 
type). At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Krumel's method of detecting unknown commands 
because it offers the advantage of ensuring that no packets that do not fit set security 
filters are allowed to pass in and out of a network (Krumel, Page 7, Paragraph 0085 and 
Page 7 Paragraph 0087). 

37. With regards to claim 36, Gleichauf, as described above, fails to teach the 
protocol being RPC. Krumel teaches the protocol being RPC (Krumel, pages 23-24, 
paragraph 0191). At the time the invention was made, it would have been obvious to a 
person of ordinary skill in the art to utilize Krumel's method of monitoring the RPC 
protocol because it offers the advantage of allowing the monitoring of communications 
between gateways and PLD devices (Krumel, pages 23-24, paragraph 0191). 

Application/Control Number: 09/874,574 
Art Unit: 2134 
Page 11 

Conclusion 
38. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Andrew L Nalven whose telephone number is 571 272 
3839. The examiner can normally be reached on Monday - Thursday 8-6, Alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on 571 272 3838. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 